M·A·G·I·C

Privacy Policy

Last updated: 2026-04-24

M.A.G.I.C. is a Magic: The Gathering deck consistency analyzer. This policy explains what we collect, why, how long we keep it, and how you can have it deleted. It is written in plain English. If any clause is unclear, email us at the address below and we will rewrite it.

1. Who we are

M.A.G.I.C. is operated by an individual data controller:

This policy describes the M.A.G.I.C. beta (self-hosted, personal scale). Please contact us at the email above for any privacy question, access request, or deletion request before filing a complaint.

2. What we collect

We only collect what is necessary to operate the product. Nothing is sold, rented, or shared with advertising networks.

2.1 Account data

  • Email address (used for login and transactional email).
  • Display name (shown publicly on any deck you publish to Community).
  • Password, stored as a bcrypt hash. We cannot read the original value.

2.2 Product data

  • Decks you create (mainboard, sideboard, MAGIC tags, combo groups, thresholds, description, tags).
  • Deck versions you publish, the comments and likes on community decks, simulation results cached server-side.
  • Card data mirrored from Scryfall (names, mana costs, oracle text, images) — not personal data.

2.3 Optional integration data

  • If you enable AI Coach insights, the deck you published (not your account data) is sent to OpenAI for analysis. Results are cached on our server keyed by deck version. You can turn this off per-deck.

2.4 Security & operational data

  • Audit logs of authentication events (login, signup, failed login, self-deletion) and administrative actions. These include your user ID, email, IP address, and user-agent string. Retained to detect unauthorized access.
  • Request logs (HTTP method, path, status code, response time) — not tied to individual users in most cases.

2.5 What we do not collect

  • No advertising cookies, no tracking pixels, no third-party analytics scripts.
  • Essential cookies only: a single authentication token stored in your browser's localStorage to keep you signed in. No consent banner is required because we run no analytics.
  • Deck drafts and import previews may be staged in your browser's IndexedDB before they are saved to your account.

3. Why we process it

  • Contract (GDPR Art. 6(1)(b)): operate the service you signed up for — account management, storing your decks, producing simulation + AI insights you requested.
  • Legitimate interest (GDPR Art. 6(1)(f)): security audit logs, abuse prevention, debugging, maintaining service integrity.
  • Consent (GDPR Art. 6(1)(a)): optional features — AI Coach, publishing decks to Community. You can disable these any time.

4. Who processes it on our behalf

M.A.G.I.C. runs on infrastructure provided by the following processors. All have signed a GDPR-compliant Data Processing Agreement, and all relevant data stays in the EU.

  • Hetzner Online GmbH — hosting (server + MongoDB). Data centre: Nuremberg (NBG1), Germany.
  • Cloudflare, Inc. — CDN, tunnel, WAF, DDoS protection. Traffic routed via the Cloudflare EU network.
  • Scryfall— we fetch card data (names, oracle text, images) from Scryfall's public API. No user data is sent to Scryfall.
  • OpenAI — if (and only if) you request an AI Coach analysis, the structure of the deck you published is sent to OpenAI for critique. OpenAI is a separate data controller for that request.

5. How long we keep it

  • Active accounts: indefinitely, until you delete your account.
  • Deleted accounts: every user-scoped record (decks, deck versions, simulations, insights, comments, likes) is purged immediately.
  • Audit logs after deletion: retained for up to 6 months in anonymized form (no user ID, no email) for security and abuse investigations under GDPR Art. 6(1)(f).
  • Backups: encrypted off-site snapshots retained for 30 days; restoration only occurs in recovery scenarios, after which deleted-account data is re-purged.

6. Your rights

Under GDPR (and equivalent laws in the UK, Switzerland, and elsewhere in the EEA) you have the right to:

  • Access — see what we store about you. Most of it is visible in Settings; for anything else, email us.
  • Rectification— correct inaccurate data. Edit your profile in Settings, or email us for fields that aren't editable in the UI.
  • Erasure (right to be forgotten) — delete your account and all associated data. Go to Settings → Account & privacy → Danger zone. Deletion is immediate and irreversible.
  • Portability— receive a machine-readable export of your data. For individual decks, use the “Export as M.A.G.I.C. JSON” option in Library. For a full-account export, email us; we'll respond within 30 days.
  • Restriction / objection — email us to pause processing of your data for a specific purpose.
  • Complaint — lodge a complaint with your national data protection authority if you believe your rights have been violated. In Italy: Garante per la Protezione dei Dati Personali (garanteprivacy.it).

7. Security

We implement industry-standard measures appropriate to the scale of the service:

  • TLS 1.2+ for all traffic, HSTS enabled.
  • Passwords bcrypt-hashed.
  • Origin server reachable only via Cloudflare Tunnel; no public TCP ports are open on the VPS.
  • Administrator access restricted to Tailscale-only SSH with hardware key authentication.
  • Rate limiting on authentication endpoints; WAF at the Cloudflare edge.
  • Audit logging of authentication and administrative events.

No system is perfectly secure. In the unlikely event of a breach affecting your data, we will notify you by email without undue delay and, where required, notify the competent supervisory authority within 72 hours.

8. Children

M.A.G.I.C. is not directed at children under 16. If you believe a child has provided us with personal data, contact us and we will delete the account.

9. International transfers

We only use processors that store and process EU user data within the EEA (with the exception of OpenAI, which you opt into explicitly by requesting AI analysis). If a processor transfers data outside the EEA, the transfer is governed by Standard Contractual Clauses as approved by the European Commission.

10. Changes to this policy

We may update this policy as the product evolves. Material changes will be communicated via email to registered users at least 14 days before taking effect. Continued use of the service after the effective date constitutes acceptance.